- The audience for this post is anyone who is aware of the policy issues related to encryption and what governments call “going dark,” and who is interested in what the Australian government has proposed.
- This is not a complete analysis of the very detailed bill, but of key issues that seem pertinent. Access Now will participate in the public comment process with a more thorough analysis. (Update: This analysis is available here.)
- The first section of this post will provide an overview of what the bill would do. The second section will provide more of a narrative of what the bill means.
- To stay updated on this issue as it develops, you should follow Australian organizations like Digital Rights Watch, Electronic Frontiers Australia, Australian Privacy Foundation, Future Wise, and Internet Australia.
- If you’d like to make your voice heard, you can take action at SecureAustralia.org.au.
In July 2017, Prime Minister Malcolm Turnbull announced plans for legislation to compel device manufacturers and service providers to assist law enforcement in accessing encrypted information. In August 2018, a draft of the bill was finally introduced. Although developed to address issues related to encryption, the bill grants broad authorities that will increase government hacking. The government has requested feedback about the bill no later than September 10, 2018. The text of the 176-page bill and instructions to submit feedback are available here.
Part 1: What does the bill do?
Fundamentally, the bill would do three things:
- Create obligations for what organizations must do to assist law enforcement;
- Create warrants to allow law enforcement to seize information directly from a device; and
- Allow law enforcement to access more data through current warrants.
Section one will probably get the most attention. This section grants the Director-General of Security or the chief officer of an interception agency the power to issue two types of orders. It also allows the Attorney-General to issue a third type of order.
A. Issue a “technical assistance request” that “may ask the provider to do acts or things on a voluntary basis that are directed towards ensuring that the provider is capable of giving certain types of help” to law enforcement. This voluntary help could include providing information about how networks are built and how information is stored. It could also ask a company to do something it has the technical capability to do — such as access encrypted data if it has a key.
B. Issue a “technical assistance notice that requires [or compels] the provider to do acts or things by way of giving help” to law enforcement. Whereas a “technical assistance request” seeks voluntary assistance, this compels organizations to assist and could include revealing how information is stored and networks are built. It could also compel a company to do something it has the technical capability to do — such as access encrypted data if it has a key.
C. The Attorney-General may issue a “technical capability notice [that] may require the provider to do acts or things directed towards ensuring that the provider is capable of giving certain types of help” to law enforcement. This seems to mean that the Attorney-General can order a company to do “acts or things” that would enable the company to comply with an order to provide help or assistance.
There are several things to note. First, both B and C above require the notice to be reasonable and proportionate. Second, the technical capability notice would prohibit a recipient from revealing the “existence or non-existence” of a notice, with fines and jail time for those who do speak about notices. (It’s unclear whether this would prohibit “warrant canaries,” which are indicators that would be removed once an organization received a notice.)
This section does not create any warrant or oversight process regarding the issuance of these notices other than that they must be “reasonable and proportionate.” While the Australian government has pointed to the ability of those receiving notices to use courts to challenge them, the bill creates no process for recipients to make a challenge nor does it create any assistance for courts that will have to deal with this new world of technical notices. Moreover, the standard of “reasonable and proportionate” falls short of the “necessity” requirement and other elements of human rights law.
The legislation also does not seem to be limited by what help organizations can be ordered to do. There is a section which lists some examples, but it is non-exhaustive. It does specifically allow authorities to order a company to do things like “remove … forms of electronic protection[s];” provide physical access to infrastructure; “install[], maintain[], test[] or use[] software;” and “provid[e] technical information.”
On a positive note, the legislation specifically forbids a notice from introducing a “systemic weakness or vulnerability” into an encrypted system. It also specifically forbids an order not to fix a weakness or vulnerability that is discovered. Both of these provisions are laudable, as weaknesses and vulnerabilities are often sought after by law enforcement agencies (much to the protest of the tech community) in lieu of backdoors or other systemic solutions.
In an accompanying explanation sheet, the government claims the prohibition would prevent a notice from requiring a design change that would remove protections for encrypted systems. This is quite significant. For example, most encrypted services allow you to have multiple devices such as a phone and a computer. Those communications can be end-to-end encrypted between all endpoints. If the government could secretly add a new device to that conversation without your knowledge, it would be building a new door into that encrypted communication.
Additionally, the bill clarifies that these notices cannot be used to compel an organization to use a surveillance device or turn over stored data that would otherwise require a warrant. Existing law would be used to compel the disclosure of data. The government would be required to publish annually the number of technical assistance notices and technical capability notices issued in a given year.
An organization, whether Australian or not, that fails to comply with a notice can be fined $10,000,000. An individual can be fined up to $50,000 and, depending on the circumstances, can face up to 10 years in prison. The bill’s wide remit means companies with even minimal connection to Australia could be subject to notices and the corresponding punishment.
Part 2: What does the bill mean?
The government has worked on this bill for over a year, and it’s clear they have made an attempt to ensure that this bill does not create a systemic weakness in encrypted systems. However, the new authority could still allow a “backdoor.” In addition, the bill grants broad new authorities that make this an expansive authorization for government hacking. The government has requested feedback on the bill, but if it were to be voted on as written, Access Now would almost certainly oppose the bill for the following reasons:
- The bill would harm the security of users online.
- The bill would lead to an increase in government hacking.
- The bill could create a backdoor into end-to-end encryption despite assurances to the contrary.
- The bill creates drastic new measures without necessary oversight and accountability.
1. The bill would harm cybersecurity
The bill would require organizations to provide information about how their systems work. It would allow more people physical access to networks. It would require organizations to test and install new functionality built by the government. Each of these components, and certainly all of them taken together, would introduce new threat vectors for companies and create new vulnerabilities.
2. The bill would lead to an increase in government hacking
This bill would grant government officials power to both compel organizations to reveal information about their systems and to make changes to those systems. An organization may even be compelled to provide source code, a drastic measure the Chinese government gave itself under its own recent Cybersecurity Law. Combined with the government’s new ability to issue warrants to seize information directly from devices, this would empower Australian government agencies to develop and grow their hacking capacities without vital and necessary protections. As we have said, any government hacking must come with strong safeguards given the high risk of harm. While the orders issued under this authority must be reasonable and proportionate, there is nearly no limitation to ensure that the government would not use any vulnerabilities it uncovered around the world or share that information with its allies.
3. The bill could create a backdoor into end-to-end encryption despite assurances to the contrary
It is laudable that the bill does specifically prohibit the government from mandating a systemic weakness in an encrypted system. However, the term “systemic” grants the government leeway to undermine specific encrypted systems.
The ambiguity in the threshold of “systemic” interference would result in less trust in technologies deployed in Australia. It may be that a company could be compelled to use its software update mechanism to interfere with the system of a specific user. Such a function would undermine faith in software updates, leading users not to update. That means more unpatched systems and overall harm to cybersecurity. Any uncertainty around technology firms and developers being forced not to update the systems of users weakens cybersecurity for all.
Secondly, while the government claims changing the notification settings to remove protections would be a prohibited “systemic weakness,” the government could potentially require a company to add a ghost user without muting the notification that a new device was added to the conversation. A savvy user would certainly notice the change, but nothing prohibits the government from requiring changes that impact encrypted systems. Further, the wording is unclear. It’s possible that a notice could require a company to both add a ghost device to an encrypted chat and also mute the notification to that specific user without creating a systemic weakness. Whether such a change could be made for an individual user may depend on the infrastructure of the messenger service.
4. The bill creates drastic new measures without necessary oversight and accountability
As drafted, the bill would authorize vast new authorities with almost no understanding of the limitations, the implications, or oversight mechanisms. It is unclear who could be implicated, what could be requested, what the effects would be, and how oversight would work. If the government insists on continuing down this path, it should start with an authority limited to voluntary assistance, with significant transparency. This would allow the government to work with companies to address digital crime. Working with organizations in a voluntary capacity would build good will, trust, and norms. Government could make clear what assistance it is seeking, and users would have transparency. These norms could then be established by legislation that would have much more exhaustive definitions for the types of actions the government could compel.
Access Now submitted comprehensive comments on the bill before the September 10, 2018 government deadline. Those comments are available here.